Salesforce’s New Email Domain Verification Explained

•March 27, 2026

Salesforce Ben•Mar 27, 2026

Key Takeaways

•Salesforce blocks emails from unverified custom domains
•DKIM verification is recommended over simple domain verification
•Public providers like Gmail and Outlook are exempt
•Sandbox enforcement begins April 7, production April 27, 2026
•Admins check status via DKIM Keys or Authorized Domains

Summary

Salesforce is mandating verification of any custom email domain used to send messages from its platform, effective with the Spring ’26 release. Administrators must configure either a DKIM key or an Authorized Email Domain record to prove ownership, or outbound emails will be blocked. The rollout starts April 7, 2026 for sandboxes and April 27, 2026 for production orgs. Public providers such as Gmail and Outlook remain exempt from this requirement.

Pulse Analysis

Email authentication has moved from optional best practice to mandatory compliance across most cloud platforms. Major inbox providers such as Gmail and Yahoo now enforce stricter SPF, DKIM and DMARC policies to curb phishing and spoofing, and Salesforce is aligning its outbound mail engine with that ecosystem. Starting with the Spring ’26 release, every Salesforce org must prove ownership of any custom domain used to send messages, otherwise the platform will refuse delivery. This change mirrors a broader industry push to ensure that only verified senders can leverage powerful automation and CRM‑driven communications.

Admins can satisfy the requirement in two ways. The preferred method is to create a DKIM key, which validates domain ownership and signs every outbound email, improving inbox placement. The process involves generating a selector in Setup → DKIM Keys, adding the supplied CNAME records to the DNS zone, and activating the key once propagation completes. Organizations that prefer a simpler approach can use the Authorized Email Domains feature: a TXT record proves ownership, after which the domain can be marked verified in Setup. Both paths are visible in the DKIM Keys or Authorized Email Domains pages, allowing administrators to audit compliance instantly.

The business impact is immediate: any unverified custom domain will see email sends blocked, causing delays in sales outreach, automated notifications, and customer service workflows. By enforcing verification, Salesforce reduces the attack surface for credential‑phishing campaigns that exploit trusted CRM branding, thereby protecting both the vendor’s reputation and its customers’ data. Organizations should prioritize verification before the April 7 sandbox deadline and the April 27 production cut‑off to avoid service interruptions. Looking ahead, tighter email controls are likely to become standard across SaaS providers, making early adoption of DKIM and DMARC a competitive advantage for firms that rely heavily on digital communication.